---
title: Intercepting requests with WebScarab
course: intro_pentest
section: "Web-Based Exploitation"
layout: lesson
---

As previously mentioned, WebScarab is a very powerful tool. One of its many
roles is to function as a proxy server. Recall that a proxy sits between the
client (browser) and the server. While the proxy is running, all the web traffic
flowing into and out of your browser is passed through the program. Passing
traffic through a local proxy provides us with an amazing ability; by running
WebScarab in this mode, we are able to stop, intercept and even change the data
either before it arrives or after it leaves the browser. This is a subtle but
important point; the use of a proxy allows us to make changes to data in
transit. The ability to manipulate or view HTTP request or response information
has serious security implications.

Consider the following: some poorly coded websites rely on the use of hidden
fields to transmit information to and from the client. In these instances, the
programmer makes use of a hidden field of the form, assuming that the user won’t
be able to access it. Although this assumption is true for a normal user, anyone
leveraging the power of a proxy server will have the ability to access and
modify the hidden field.

The classic example of this scenario is the user who was shopping at an online
golf store. After browsing the selection, he decided to buy a driver for $299.
Being a security analyst, the astute shopper was running a proxy server and
noticed that the website was using a hidden field to pass the value of the
driver ($299) to the server when the “add to cart” button was clicked. The
shopper set up his proxy to intercept the HTTP POST request. This means that
when the information was sent to the server, it was stopped at the proxy. The
shopper now had the ability to change the value of the hidden field. After
manually changing the value from $299 to $1, the request was sent on to the
server. The driver was added to his shopping cart, and the new total due was
$1.

Although this scenario is not as common as it used to be, it certainly
demonstrates the power of using a proxy to intercept and inspect HTTP requests
and responses.
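The server-side view of the golf-store scenario, as an added example that is not part of the original lesson: one handler trusts the hidden field, the other prices the item from its own catalog and flags a mismatch. The field names `item_id` and `price`, the catalog, the sample request bodies and both handler functions are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed server-side catalog: the only trusted source of prices.
CATALOG = {"driver-01": Decimal("299.00")}

# Constructed POST bodies: as the form sends it, and as it arrives after
# the hidden field was edited in transit.
ORIGINAL = "item_id=driver-01&price=299.00"
MODIFIED = "item_id=driver-01&price=1"


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded POST body."""
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}


def add_to_cart_vulnerable(body: str) -> Decimal:
    """Bills whatever the hidden 'price' field says (the flaw in the story)."""
    return Decimal(parse_form(body)["price"])


def add_to_cart_hardened(body: str) -> tuple[Decimal, bool]:
    """Bill from the catalog; return (price, tampering_suspected)."""
    form = parse_form(body)
    item_id = form.get("item_id", "")
    if item_id not in CATALOG:
        raise ValueError("unknown item")
    trusted = CATALOG[item_id]
    # The submitted price is never used for billing; a mismatch is only
    # a signal worth logging and alerting on.
    tampered = False
    if "price" in form:
        try:
            tampered = Decimal(form["price"]) != trusted
        except InvalidOperation:
            tampered = True  # non-numeric value in a numeric field
    return trusted, tampered


if __name__ == "__main__":
    print("vulnerable bills:", add_to_cart_vulnerable(MODIFIED))
    print("hardened bills:  ", add_to_cart_hardened(MODIFIED))
```
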

To use WebScarab as an interceptor, you need to configure your browser to use a
proxy as discussed in the Spidering section of this chapter. Once your browser
is configured to use the proxy, you can start WebScarab by issuing the following
command in a terminal window:

```
webscarab
```

You’ll need to restart WebScarab to use the “lite” version. Once WebScarab has
finished loading, you’ll need to click on the “Intercepts” tab. Next, you should
check both the “Intercept requests” and “Intercept responses” boxes, as
shown in the following image.

![](/img/courses/intro-pentest/webscarab1.png)

> You may want to leave the Intercept requests and Intercept responses unchecked
> until you are ready to test, as nearly every page involves these actions and
> intercepting everything before you are ready will make your browsing
> experience painfully slow.

With WebScarab set up as described, the proxy will stop nearly every transaction
and allow you to inspect or change the data. Luckily, if you find yourself in
this situation, WebScarab has included a “Cancel ALL Intercepts” button. This
can be handy to keep moving forward.

To change the values of a given field, wait for WebScarab to intercept the
request; then locate the variable you wish to change. At this point, you can
simply enter a new value in the “value” field and click the “Insert” button to
update the field with the new value.

Viewing HTTP responses and requests can also be useful for discovering username
and password information. Just remember, the value in many of these fields will
be Base64 encoded. Although these values may look as though they are encrypted,
you should understand that Base64 is a form of encoding, not encryption.
Although these processes may sound similar, they are vastly different. Decoding
Base64 is a trivial task that can be accomplished with little effort using a
program or online tool.

It should be pointed out that there are many good proxy servers available to
assist you with the task of data interception. Don’t be afraid to explore other
proxy servers as well.
